chore(deps): update module github.com/docker/distribution to v2.8.2+incompatible [security]

[renovate]

This PR contains the following updates:

Package	Type	Update	Change	OpenSSF
github.com/docker/distribution	indirect	minor	v2.7.1+incompatible -> v2.8.2+incompatible

GitHub Vulnerability Alerts

GHSA-qq97-vm5h-rrhg

Impact

Systems that rely on digest equivalence for image attestations may be vulnerable to type confusion.

Patches

Upgrade to at least v2.8.0-beta.1 if you are running v2.x release. If you use the code from the main branch, update at least to the commit after b59a6f827947f9e0e67df0cfb571046de4733586.

Workarounds

There is no way to work around this issue without patching.

References

Due to an oversight in the OCI Image Specification that removed the embedded mediaType field from manifests, a maliciously crafted OCI Container Image can cause registry clients to parse the same image in two different ways without modifying the image’s digest by modifying the Content-Type header returned by a registry. This can invalidate a common pattern of relying on container image digests for equivalence.

For more information

If you have any questions or comments about this advisory:

• Open an issue in distribution
• Open an issue in distribution-spec
• Email us at cncf-distribution-security@lists.cncf.io

CVE-2023-2253

Impact

Systems that run distribution built after a specific commit running on memory-restricted environments can suffer from denial of service by a crafted malicious /v2/_catalog API endpoint request.

Patches

Upgrade to at least 2.8.2-beta.1 if you are running v2.8.x release. If you use the code from the main branch, update at least to the commit after f55a6552b006a381d9167e328808565dd2bf77dc.

Workarounds

There is no way to work around this issue without patching. Restrict access to the affected API endpoint: see the recommendations section.

References

/v2/_catalog endpoint accepts a parameter to control the maximum amount of records returned (query string: n).

When not given the default n=100 is used. The server trusts that n has an acceptable value, however when using a
maliciously large value, it allocates an array/slice of n of strings before filling the slice with data.

This behaviour was introduced ~7yrs ago [1].

Recommendation

The /v2/_catalog endpoint was designed specifically to do registry syncs with search or other API systems. Such an endpoint would create a lot of load on the backend system, due to overfetch required to serve a request in certain implementations.

Because of this, we strongly recommend keeping this API endpoint behind heightened privilege and avoiding leaving it exposed to the internet.

For more information

If you have any questions or comments about this advisory:

• Open an issue in distribution repository
• Email us at cncf-distribution-security@lists.cncf.io

[1] faulty commit

---

Release Notes

docker/distribution (github.com/docker/distribution)

v2.8.2+incompatible

Compare Source

v2.8.1+incompatible

Compare Source

v2.8.0+incompatible

Compare Source

---

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Enabled.

♻ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.

[sourcery-ai]

Reviewer's Guide by Sourcery

This pull request updates the github.com/docker/distribution module from v2.7.1+incompatible to v2.8.0+incompatible to address a security vulnerability related to type confusion when relying on digest equivalence for image attestations. The update is a minor version bump.

No diagrams generated as the changes look simple and do not need a visual representation.

File-Level Changes

Change	Details	Files
Updated the github.com/docker/distribution module to address a security vulnerability.	Updated the module version in go.mod. Updated the module checksum in go.sum.	app/platform/fabric/e2e-test/specs/go.mod app/platform/fabric/e2e-test/specs/go.sum

---

Tips and commands

Interacting with Sourcery

• Trigger a new review: Comment @sourcery-ai review on the pull request.
• Continue discussions: Reply directly to Sourcery's review comments.
• Generate a GitHub issue from a review comment: Ask Sourcery to create an
  issue from a review comment by replying to it. You can also reply to a
  review comment with @sourcery-ai issue to create an issue from it.
• Generate a pull request title: Write @sourcery-ai anywhere in the pull
  request title to generate a title at any time. You can also comment
  @sourcery-ai title on the pull request to (re-)generate the title at any time.
• Generate a pull request summary: Write @sourcery-ai summary anywhere in
  the pull request body to generate a PR summary at any time exactly where you
  want it. You can also comment @sourcery-ai summary on the pull request to
  (re-)generate the summary at any time.
• Generate reviewer's guide: Comment @sourcery-ai guide on the pull
  request to (re-)generate the reviewer's guide at any time.
• Resolve all Sourcery comments: Comment @sourcery-ai resolve on the
  pull request to resolve all Sourcery comments. Useful if you've already
  addressed all the comments and don't want to see them anymore.
• Dismiss all Sourcery reviews: Comment @sourcery-ai dismiss on the pull
  request to dismiss all existing Sourcery reviews. Especially useful if you
  want to start fresh with a new review - don't forget to comment
  @sourcery-ai review to trigger a new review!
• Generate a plan of action for an issue: Comment @sourcery-ai plan on
  an issue to generate a plan of action for it.

Customizing Your Experience

Access your dashboard to:

• Enable or disable review features such as the Sourcery-generated pull request
  summary, the reviewer's guide, and others.
• Change the review language.
• Add, remove or edit custom review instructions.
• Adjust other review settings.

Getting Help

• Contact our support team for questions or feedback.
• Visit our documentation for detailed guides and information.
• Keep in touch with the Sourcery team by following us on X/Twitter, LinkedIn or GitHub.

[sourcery-ai]

We have skipped reviewing this pull request. It seems to have been created by a bot (hey, renovate[bot]!). We assume it knows what it's doing!